The MrbMiner Malware
A new crypto-mining malware known as MrbMiner has recently made its way to the top of the security news headlines. The threat is the work of a cybercriminal gang that, over a period of a few months, has broken into Microsoft SQL Servers and installed its crypto-miner on them.
Researchers explain that the malware infected a large number of machines exclusively by scanning the web for MSSQL servers and then brute-forcing their admin accounts with lists of weak passwords and common user names.
As soon as initial access was obtained by brute-forcing the admin account, the attackers downloaded a malicious file named assm.exe, whose role was to install a reboot persistence mechanism and to set up an account for future backdoor access. The backdoor account used the username “Default” and the password “@fg125kjnhn987”.
The last stage of the infection was to connect to the attackers’ command and control server and download a Monero (XMR) cryptocurrency-mining program that consumed the local server’s resources and mined XMR coins into wallets controlled by the attackers.
Malware variants for Linux and ARM were also found
Security researchers reported that infections were observed only on MSSQL servers. According to their findings, however, the MrbMiner gang’s command and control server also hosted copies of the malware written to attack Linux and ARM systems.
Analysis of the Linux version of MrbMiner showed that it was linked to a Monero wallet that collected the mined funds. That wallet held nearly $300 (3.38 XMR), indicating that the Linux version had been deployed as well, although detailed information about those attacks was not revealed. By comparison, the Monero wallet connected to the MrbMiner version that compromised MSSQL servers held nearly $630 (7 XMR).
These sums may not look significant, but since crypto-mining gangs are known to use multiple wallets for their operations, it is assumed that the actors behind MrbMiner have most likely generated much larger sums from their attacks.
Regarding the new threat, system administrators are advised to scan their MSSQL servers for a backdoor account with the username/password Default/@fg125kjnhn987. If this account is present, the recommendation is a full network check and security audit.
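The check described above, written out as T-SQL to run against each SQL Server instance from a sysadmin session (an added example, not taken from the article or from any published detection; it assumes the login names and password reported in the article and uses the built-in PWDCOMPARE function to match the hash of a SQL-authenticated login against that known password):

```sql
-- Added defensive check (not from the original article). Run with a sysadmin login
-- via sqlcmd or SSMS on every MSSQL instance you manage.

-- 1) Any server-level login literally named 'Default', with creation and modification
--    dates and whether it holds the sysadmin role.
SELECT  p.name,
        p.type_desc,
        p.create_date,
        p.modify_date,
        p.is_disabled,
        IS_SRVROLEMEMBER('sysadmin', p.name) AS is_sysadmin
FROM    sys.server_principals AS p
WHERE   p.name = N'Default';

-- 2) Any SQL-authenticated login, whatever its name, whose stored password hash matches
--    the backdoor password reported in the article. PWDCOMPARE returns 1 on a match,
--    so a renamed backdoor login still shows up here.
SELECT  l.name,
        l.create_date,
        l.modify_date
FROM    sys.sql_logins AS l
WHERE   PWDCOMPARE(N'@fg125kjnhn987', l.password_hash) = 1;

-- 3) Broader sweep for review: SQL-authenticated logins created in the last 90 days
--    (assumed window, adjust as needed) that hold sysadmin.
SELECT  l.name,
        l.create_date,
        l.modify_date,
        l.is_policy_checked
FROM    sys.sql_logins AS l
WHERE   l.create_date >= DATEADD(DAY, -90, SYSDATETIME())
  AND   IS_SRVROLEMEMBER('sysadmin', l.name) = 1
ORDER BY l.create_date DESC;
```

Any row returned by the first two queries is a strong indicator of compromise; rows from the third query need manual review against your change records.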